With Cisco ASA firewalls, you can integrate multiple enterprise-class, next-generation network security services without sacrificing performance. Cisco ASA combines the most deployed stateful inspection firewall in the industry with next-generation firewall capabilities.
Read more about the ASA 5500 and ASA 5500-X Series for small and branch offices.
| Cisco ASA Model | ASA 5505 / Security Plus | ASA 5510 / Security Plus | ASA 5512-X / Security Plus | ASA 5515-X |
|---|---|---|---|---|
| Stateful Inspection throughput (max1) | Up to 150 Mbps | Up to 300 Mbps | 1 Gbps | 1.2 Gbps |
| Stateful Inspection throughput (multiprotocol2) | - | - | 500 Mbps | 600 Mbps |
| Next-Generation throughput3 (multiprotocol) | - | - | 200 Mbps | 350 Mbps |
| IPS throughput4 | Up to 75 Mbps with AIP SSC-5 | Up to 150 Mbps with AIP SSM-10; 300 Mbps with AIP SSM-20 | 250 Mbps (Extra hardware module not required) | 400 Mbps (Extra hardware module not required) |
| Concurrent sessions | 10,000 /25,000 | 50,000 /130,000 | 100,000 | 250,000 |
| Connections per second | 4,000 | 9,000 | 10,000 | 15,000 |
| Packets per second (64 byte) | 85,000 | 190,000 | 450,000 | 500,000 |
| 3DES/AES VPN throughput5 | 100 Mbps | 170 Mbps | 200 Mbps | 250 Mbps |
| Site-to-site and IPsec IKEv1 client VPN user sessions | 25 | 250 | 250 | 250 |
| AnyConnect or clientless VPN user sessions | 25 | 250 | 250 | 250 |
| Cisco Cloud Web Security users | 25 | 75 | 100 | 250 |
| VLANs | 3 (trunking disabled) / 20 (trunking enabled) | 50 / 100 | 50 / 100 | 100 |
| High-availability support6 | Not available | Not available; A/A and A/S | Not available; A/A and A/S | A/A and A/S |
| Integrated I/O | 8-port FE with 2 Power over Ethernet (PoE) ports | 5-port FE / 2-port 10/100/1000, 3-port FE | 6-port 10/100/1000 | 6-port 10/100/1000 |
| Expansion I/O | Not available | 4-port 10/100/1000 or 4-port GE (SFP) | 6-port 10/100/1000 or 6-port GE (SFP) | 6-port 10/100/1000 or 6-port GE (SFP) |
| Dual power supplies | Not available | Not available | Not available | Not available |
| Power | AC/DC | AC/DC | AC/DC | AC/DC |
1 Maximum throughput with UDP traffic measured under ideal test conditions
2 Multiprotocol = Traffic profile consisting primarily of TCP-based protocols/applications like HTTP, SMTP, FTP, IMAPv4, BitTorrent, and DNS
3 Throughput was measured using ASA CX Software Release 9.1.1 with multi-protocol traffic profile with both Application Visibility Control (AVC) and Web Security Essentials (WSE). Traffic logging was enabled as well.
4 Firewall traffic that does not go through IPS service can have higher throughput.
5 VPN throughput and sessions count depend on the ASA device configuration and VPN traffic patterns. These elements should be taken into consideration as part of your capacity planning.
6 A/A = Active/Active; A/S = Active/Standby
Cisco ASA next-generation firewalls are available in a wide range of sizes and performance levels to fit your network and budget. They also combine stateful inspection and next-generation firewall capabilities with a comprehensive suite of next-generation network security services. There's a solution to meet your evolving security needs — for security without compromise.
Read more about the ASA 5500 and ASA 5500-X Series for the Internet Edge.
| Cisco ASA Model | ASA 5520 | ASA 5525-X | ASA 5540 | ASA 5545-X | ASA 5550 | ASA 5555-X |
|---|---|---|---|---|---|---|
| Stateful Inspection throughput (max1) | 450 Mbps | 2 Gbps | 650 Mbps | 3 Gbps | 1.2 Gbps | 4 Gbps |
| Stateful Inspection throughput (multiprotocol2) | - | 1 Gbps | - | 1.5 Gbps | - | 2 Gbps |
| Next-Generation throughput3 (multiprotocol) | - | 650 Mbps | - | 1 Gbps | - | 1.4 Gbps |
| IPS throughput4 | Up to 225 Mbps with AIP SSM-10; 375 Mbps with AIP SSM-20; 450 Mbps with AIP SSM-40 | 600 Mbps (Extra hardware module not required) | Up to 500 Mbps with AIP SSM-20; 650 Mbps with AIP SSM-40 | 900 Mbps (Extra hardware module not required) | Not Available | 1.3 Gbps (Extra hardware module not required) |
| Concurrent sessions | 280,000 | 500,000 | 400,000 | 750,000 | 650,000 | 1,000,000 |
| Connections per second | 12,000 | 20,000 | 25,000 | 30,000 | 33,000 | 50,000 |
| Packets per second (64 byte) | 320,000 | 700,000 | 500,000 | 900,000 | 600,000 | 1,100,000 |
| 3DES/AES VPN throughput5 | 225 Mbps | 300 Mbps | 325 Mbps | 400 Mbps | 425 Mbps | 700 Mbps |
| Site-to-site and IPsec IKEv1 client VPN user sessions | 750 | 750 | 5,000 | 2,500 | 5,000 | 5,000 |
| AnyConnect or clientless VPN user sessions | 750 | 750 | 2,500 | 2,500 | 5,000 | 5,000 |
| Cisco Cloud Web Security users | 300 | 500 | 1,000 | 1,500 | 2,000 | 3,000 |
| VLANs | 150 | 200 | 200 | 300 | 400 | 500 |
| High-availability support6 | A/A and A/S | A/A and A/S | A/A and A/S | A/A and A/S | A/A and A/S | A/A and A/S |
| Integrated I/O | 4-port 10/100/1000 and 1-port FE | 8-port 10/100/1000 | 4-port 10/100/1000 + 1-port FE | 8-port 10/100/1000 | 8-port 10/100/1000 + 1-port FE | 8-port 10/100/1000 |
| Expansion I/O | 4-port 10/100/1000 or 4-port GE (SFP) | 6-port 10/100/1000 or 6-port GE (SFP) | 4-port 10/100/1000 or 4-port GE (SFP) | 6-port 10/100/1000 or 6-port GE (SFP) | None | 6-port 10/100/1000 or 6-port GE (SFP) |
| Dual Power Supplies | Not available | Not available | Not available | Yes | Not available | Yes |
| Power | AC/DC | AC/DC | AC/DC | AC/DC | AC/DC | AC/DC |
1 Maximum throughput with UDP traffic measured under ideal test conditions
2 Multiprotocol = Traffic profile consisting primarily of TCP-based protocols or applications like HTTP, SMTP, FTP, IMAPv4, BitTorrent, and DNS.
3 Throughput was measured using ASA CX Software Release 9.1.1 with multi-protocol traffic profile with both Application Visibility Control (AVC) and Web Security Essentials (WSE). Traffic logging was enabled as well.
4 Firewall traffic that does not go through IPS service can have higher throughput.
5 VPN throughput and sessions count depend on the ASA device configuration and VPN traffic patterns. These elements should be taken into consideration as part of your capacity planning.
6 A/A = Active/Active; A/S = Active/Standby
Cisco ASA firewalls protect networks of all shapes and sizes, with consistent security across hybrid infrastructures — physical, virtual, and cloud. These solutions combine the most deployed firewall in the industry with a full complement of next-generation network security services. They protect corporate networks while providing employees with secure access to data — anytime, anywhere, using any device.
Read more about the Cisco ASA firewalls for large enterprises and data centers.
| Cisco ASA Model | ASA 5585-X with SSP10 | ASA 5585-X with SSP20 | ASA 5585-X with SSP40 | ASA 5585-X with SSP60 | ASA Services Module |
|---|---|---|---|---|---|
| Stateful Inspection throughput (max1) | 4 Gbps | 10 Gbps | 20 Gbps | 40 Gbps | 20 Gbps |
| Stateful Inspection throughput (multiprotocol2) | 2 Gbps | 5 Gbps | 10 Gbps | 20 Gbps | 16 Gbps |
| Next-Generation throughput3 (multiprotocol) | 2 Gbps (with ASA CX SSP-10) | 5 Gbps (with ASA CX SSP-20) | Not available | Not available | Not available |
| IPS throughput4 (multiprotocol) | 2 Gbps (with IPS SSP-10) | 3 Gbps (with IPS SSP-20) | 5 Gbps (with IPS SSP-40) | 10 Gbps (with IPS SSP-60) | Not available |
| Concurrent sessions | 1,000,000 | 2,000,000 | 4,000,000 | 10,000,000 | 10,000,000 |
| Connections per second | 50,000 | 125,000 | 200,000 | 350,000 | 300,000 |
| Packets per second (64 byte) | 1,500,000 | 3,000,000 | 5,000,000 | 9,000,000 | 5,000,000 |
| 3DES/AES VPN throughput5 | 1 Gbps | 2 Gbps | 3 Gbps | 5 Gbps | 2 Gbps |
| Site-to-site and IPsec IKEv1 client VPN user sessions | 5,000 | 10,000 | 10,000 | 10,000 | 10,000 |
| AnyConnect or clientless VPN user sessions | 5,000 | 10,000 | 10,000 | 10,000 | 10,000 |
| Cisco Cloud Web Security users | 7,500 | 7,500 | 7,500 | 7,500 | 7,500 |
| Integrated I/O | 8-port 10/100/1000 and 2-port 10 GE (SFP+)6 | 8-port 10/100/1000 and 2-port 10 GE (SFP+)6 | 6-port 10/100/1000 and 4-port 10 GE (SFP+) | 6-port 10/100/1000 and 4-port 10 GE (SFP+) | Provided by the switch or router |
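| Expansion I/O7 | 8-port 10 GE(SFP/SFP+) or 4-port 10 GE(SFP/SFP+) or 20-port 1 GE (12-port 1 GE SFP and 8-port 10/100/100) | 8-port 10 GE(SFP/SFP+) or 4-port 10 GE(SFP/SFP+) or 20-port 1 GE (12-port 1 GE SFP and 8-port 10/100/100) | 8-port 10 GE(SFP/SFP+) or 4-port 10 GE(SFP/SFP+) or 20-port 1 GE (12-port 1 GE SFP and 8-port 10/100/100) | 8-port 10 GE(SFP/SFP+) or 4-port 10 GE(SFP/SFP+) or 20-port 1 GE (12-port 1 GE SFP and 8-port 10/100/100) | Provided by the switch or router |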
| Dual power supplies | Yes | Yes | Yes | Yes | Yes. Provided by the switch or router |
| VLANs | 1,024 | 1,024 | 1,024 | 1,024 | 1,000 |
| High-availability support8 | 1,024 | 1,024 | 1,024 | 1,024 | 1,000 |
| Power | AC | AC | AC | AC | AC/DC provided by the switch or router |
1 Maximum throughput with UDP traffic measured under ideal test conditions
2 Multiprotocol = Traffic profile consisting primarily of TCP-based protocols/applications like HTTP, SMTP, FTP, IMAPv4, BitTorrent, and DNS.
3 Throughput was measured using ASA CX Software Release 9.1.1 with multi-protocol traffic profile with both Application Visibility Control (AVC) and Web Security Essentials (WSE). Traffic logging was enabled as well.
4 Firewall traffic that does not go through IPS SSP module can have higher throughput.
5 VPN throughput and sessions count depend on the ASA device configuration and VPN traffic patterns. These elements should be taken into consideration as part of your capacity planning.
6 Requires a separate license
7 Half-width modules
8 A/A = Active/Active; A/S = Active/Standby





